the attacker only has access to the memory of your machine after the password is processed?

There are two considerations. The most common one is that the attacker makes your process dump core, then uses a separate attack to read the core file. If the password exists in memory for only a brief moment this attack becomes impractical.

The second one is a general/theoretical weakness of any multi-level security system. In any flawlessly implemented MLS system there is still some bandwidth to leak information downwards. The better implemented the system, the smaller the bandwidth. If information exists only briefly it becomes impractical to leak it using the available bandwidth.
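The two habits this reply implies (turn core files off, and wipe the buffer the moment the password has been used) look like this in C. This is an added example, not code from the thread; `check_password`, `verify_and_wipe`, `is_all_zero` and the sample password are constructed for illustration, and a POSIX system is assumed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Stop the kernel writing a core file for this process (0 on success). */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Zero through a volatile pointer so the stores are not optimised away
   as dead writes to a buffer that is never read again. */
void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Hypothetical verifier: compares against a constructed sample value
   without an early exit. A real one would check a salted hash. */
static int check_password(const char *pw) {
    static const char expected[] = "correct horse";   /* constructed */
    size_t n = strlen(pw);
    unsigned char diff = (unsigned char)(n != sizeof expected - 1);
    for (size_t i = 0; i < sizeof expected - 1; i++)
        diff |= (unsigned char)((i < n ? pw[i] : 0) ^ expected[i]);
    return diff == 0;
}

/* Use the password, then wipe the whole buffer before returning,
   on the success and the failure path alike. */
int verify_and_wipe(char *buf, size_t cap) {
    buf[cap - 1] = '\0';               /* guarantee termination */
    int ok = check_password(buf);
    secure_wipe(buf, cap);
    return ok;
}

/* Returns 1 if every byte of buf is zero. */
int is_all_zero(const char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) if (buf[i]) return 0;
    return 1;
}

int main(void) {
    char pw[64] = "correct horse";     /* constructed sample input */
    if (disable_core_dumps() != 0) perror("setrlimit");
    int ok = verify_and_wipe(pw, sizeof pw);
    printf("match=%d wiped=%d\n", ok, is_all_zero(pw, sizeof pw));
    return 0;
}
```

A plain `memset` before `return` is a dead store the optimiser may remove, which is why the wipe goes through a `volatile` pointer.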

I would imagine that it's a fairly unlikely scenario, but not impossible. For example, if this is a shared computer, the person who comes up behind me may peek around memory after my program has completed, and if no other program has incidentally overwritten those chars, the attacker can find them.

Even still, if that was me doing the attacking I certainly wouldn't be trying to dump the memory from your machine, I would just install a little program to trap the password as you enter it in, or something similar. Much easier.

At some point the password enters memory in plain form and that must be a weak point.

Well, you could catch the keystrokes and hash them as they're input. But how do you know that someone hasn't put a low-level interceptor on your keyboard driver? Or isn't picking up the electrical signals transmitted from your keyboard? Or even the electrical signals generated by your CPU while you're processing the password?